Update rpmconf-matt to reflect that I've filed a bug about the failure

[utils/utils.git] / rpmconf-matt

diff --git a/rpmconf-matt b/rpmconf-matt
index 4cb5093..7f28ad7 100755 (executable)
--- a/rpmconf-matt
+++ b/rpmconf-matt
@@ -3,14 +3,14 @@
 
 # SECURITY NOTICE: If your system is missing the original version (.rpmbase) of
 # a configuration file you have modified, rpmconf-matt will automatically get it
 
 # SECURITY NOTICE: If your system is missing the original version (.rpmbase) of
 # a configuration file you have modified, rpmconf-matt will automatically get it

-# by downloading the original package with "dnf download", which (IIUC) does not
-# check the package's GPG signature even if dnf is normally configured to do so.
-# (TODO: File an upstream bug about this?)  rpmconf-matt checks the digest of
+# by downloading the original package with "dnf download", which does not
+# check the package's GPG signature even if dnf is normally configured to do so
+# (https://bugzilla.redhat.com/show_bug.cgi?id=1879791).  rpmconf-matt checks the digest of

 # the file before using it, but a fuzzed package might be able to compromise
 # your system during extraction.  This is less of a problem if your repository
 # metadata is integrity protected (e.g., by SSL on the metalink or repomd)
 # the file before using it, but a fuzzed package might be able to compromise
 # your system during extraction.  This is less of a problem if your repository
 # metadata is integrity protected (e.g., by SSL on the metalink or repomd)

-# because "dnf download" checks the digest of the downloaded package before
-# exiting successfully.
+# because "dnf download" refuses to save a package whose digest does not match
+# the metadata.

 
 # Known blockers to submission to Fedora: Basically removing assumptions specific to my setup.
 # - Decide how to name it vs. existing "rpmconf" in Fedora
 
 # Known blockers to submission to Fedora: Basically removing assumptions specific to my setup.
 # - Decide how to name it vs. existing "rpmconf" in Fedora